British and American security officials conclude that the WannaCry cyberattack, which severely disrupted the NHS, was launched from North Korea and likely intended to raise funds for the isolated regime.
Cyber warfare has become an escalating global concern, with attacks linked to states such as Russia and North Korea increasing in frequency and impact. Earlier this year, US President Obama reportedly issued a “red phone” warning to the Kremlin amid allegations of Russian interference in US elections, reflecting how state-sponsored or state-tolerated cyber activity can have far-reaching political consequences.
Analysts say a key operational mistake by the attackers has made tracking the ransom payments straightforward.
A previous high-profile intrusion, the hack of Sony Pictures, was attributed to the North Korean-affiliated group Lazarus after attackers locked employees out of their systems and published private data and unreleased films online.
Security experts now point to Lazarus as the likely perpetrator of the WannaCry outbreak, which spread a ransomware strain exploiting a Windows vulnerability first discovered and reportedly stockpiled by the US National Security Agency (NSA) before details were leaked.
The ransomware propagated rapidly across networks worldwide, but the United Kingdom’s National Health Service suffered the most visible and tangible consequences: critical systems were taken offline, appointments and surgeries were delayed or canceled, and patient care was disrupted in many locations.
WannaCry demanded a payment of $300 per infected PC, doubling to $600 if the fee was not paid within three days. Investigators estimate the attackers collected roughly $140,000 in ransom, paid in Bitcoin. That choice of cryptocurrency, combined with operational errors in how payments were handled, appears to have undermined the attackers’ efforts to remain anonymous.
It was the UK’s health service that was impacted the most, with some critical systems taken offline and many services interrupted.
Cybersecurity analysts say mistakes by the attackers left the Bitcoin transactions easy to trace, enabling law enforcement and researchers to follow the funds. Jake Williams, founder of cybersecurity firm Rendition Infosec, compared handling the tainted Bitcoin to “knowingly taking tainted bills from a bank robbery,” explaining why many online exchanges refused to process those funds.
Britain’s National Cyber Security Centre (NCSC) led an international investigation and concluded in recent weeks that North Korea was responsible for the attack. The NSA later assessed with “moderate confidence” that the operation was tied to North Korea’s primary intelligence unit, the Reconnaissance General Bureau.
Because of the opaque nature of the North Korean state and its security apparatus, definitive details about the chain of command or who specifically ordered the attack remain unclear. Experts suggest the attackers did not anticipate how quickly WannaCry would spread or the international attention it would draw, which in turn increased scrutiny of origin and motive.